By Steve Durbin
Information security threats are worsening by the day. Organizations risk becoming disoriented and losing their way in a maze of uncertainty, as they grapple with complex technology, a proliferation of data, increased regulation and a debilitating skills shortage.
With the global security threat landscape changing on a daily basis, far too often I’m seeing organizations being left behind. To take advantage of emerging trends in both technology and cyberspace, organizations need to manage risks in ways beyond those traditionally handled by the information security function, since new attacks will impact both business reputation and shareholder value.
At the Information Security Forum, we recently released Threat Horizon 2018, the latest in our annual series of reports which provide businesses a forward-looking view of the increasing threats in today’s always-on, interconnected world. In Threat Horizon 2018, we highlighted the top three emerging threat themes, as determined by our research, to information security over the next two years.
Let’s take a quick look at these threats and what they mean for your organization:
Technology Adoption Will Dramatically Expand the Threat Landscape
Over the next two years, technology will increasingly become an integral part of everyday life in modern society, both at a business and a personal level. Organizations will seek to maximize efficiency and effectiveness through improved connectivity. However, with these benefits will come associated threats in an expanded and more complex security threat landscape highlighted by the growth of the Internet of things (IoT).
The billions of devices that comprise the IoT will collect a wide variety of data from users, who will be unaware that it is happening, where the data is being stored or who has access to it. Additionally, these devices may be inadequately protected, exposing critical infrastructure – such as industrial control and financial systems – to malicious actors.
As organizations deal with this complex digital environment, they will respond by automating tasks previously performed by people. Human cognitive abilities will be regarded as a bottleneck to task completion and efficiency. In response, algorithms will be increasingly used to ensure tasks are performed with accuracy and timeliness. However, the interactions between these algorithms will become complex to understand introducing the potential for significant vulnerabilities. As a consequence, new challenges will be created for those tasked with identifying, assessing and managing the resulting information security risks.
The Ability to Protect Will Progressively Be Compromised
Dealing with cyber-attacks and avoiding data breaches is enough to keep most organizations busy, but this will become even more challenging as established methods of information risk management are eroded or compromised by a variety of (usually non-malicious) actors.
The problems will begin at the top, with misalignment between board expectations and the reality of the security function’s capability. Having increased information security budgets, the board will expect change to happen quickly and may not fully appreciate the scale of the organization’s information security challenges. When a major incident occurs, this misalignment will be exposed for all to see.
These challenges are multiplied when knowledge of software vulnerabilities is deliberately suppressed. This will happen with increasing frequency as security researchers discover vulnerabilities, only to be threatened with legal action by the manufacturer if they disclose the details publicly. This will prevent organizations from maintaining and strengthening their security.
The financial impact of some information security risks are already being transferred through cyber-insurance. However, several large data breaches will expose aggregated risks and cause insurers to suffer significant financial losses. As a result of this mispricing debacle, several insurers will be forced out of business while others will raise premiums significantly, expand contract exclusions and restrictions, or avoid cyber-insurance altogether. This will make cyber-insurance no longer financially viable for many organizations, and the market will contract and take several years to recover.
Governments Will Become Increasingly Interventionist
Governments around the world will take an even greater interest in scrutinizing both new and existing technology products and services used by their citizens. They will begin to adopt a more intrusive approach in dealing with organizations that handle personal information, especially major technology companies. These governments will justify their activities on the grounds of regulating disruptive business models and organized crime. However, their efforts in combating international crime – where many think they should be concentrating their resources – will fall significantly short of the expectation of many organizations.
A key trigger to the change in the attitude of many governments will be the effects of disruptive business models on local economies. These models include those introduced by Uber, Airbnb and Google, which often ignore or overlook local regulations when pursuing aggressive international growth targets. However, while regulatory action will begin by focusing on what could be perceived as anti-competitive practices, it will quickly be extended to include many other technology companies that could be accused of violating privacy and data protection regulations.
Many of the resulting regulations will be aimed at monitoring the location of information, in particular, information that travels internationally through cloud services. To overcome the natural time lag between the deployment of new technology and government regulation, many regulators will err on the side of caution and over-regulate. These actions will fragment cloud environments by incentivising both organizations and cloud providers to divide data centers along national boundaries.
Cyber-criminals will continue to exploit gaps between the law enforcement mechanisms of different countries. The new threat is that the capability of cyber-criminal groups is now equal to many nation states, and will surpass some of them in the near future. Organizations will respond by turning to their law enforcement agencies for assistance with cross-border investigations, leading to growing tensions between governments that are unwilling or incapable of collaborating to fight cyber-crime.
While a new and more open dialogue on these threats will gradually begin between the world’s major technology companies and governments, this is unlikely to produce tangible results in the period up to 2018.
The Time to Prepare is Now
Information security professionals are facing increasingly complex threats, some new and others familiar but evolving. Their primary challenge remains unchanged; to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.
As dangers increase on a global scale, methodical and extensive commitment is needed to ensure that practical plans are in place to deal with major changes the future could bring. Employees at all levels of the organization will need to be involved, including board members and managers in non-technical roles.
The three themes listed above expose the dangers that should be considered most prominent. They have the capacity to transmit their impact through cyberspace at break-neck speeds, particularly as the use of the Internet spreads. As a result, many organizations will struggle to cope as the pace of change intensifies. Consequently, at least until a conscious decision is taken to the contrary, the threats should appear on the radar of every organization, both large and small.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.